
Dr. Ayoub Alsarhan
Faculty of Information Technology
The Hashemite University
ayoubm@hu.edu.jo

© McGraw Hill, LLC 1


Windows Forensics Analysis
• Open a command-line prompt and use the CD command to change
the working directory to the $Recycle.Bin folder under the C:\
drive. Display the folder contents using the DIR command
followed by the /a switch (to display hidden system files). These
commands are displayed in Figure. As we note from Figure,
$Recycle.Bin contains four subfolders: these are SID subfolders,
each named after the SID of the user who deleted the files inside
it. A subfolder is created the first time a user deletes a file that
is sent to the recycle bin.



Windows Forensics Analysis
• Now, to learn the name of the user account that owns a
specific SID subfolder, we need to use the following command:
• wmic useraccount get name,sid
• This displays all user accounts on the target machine together
with their SIDs, so we can learn which SID subfolder in
$Recycle.Bin belongs to the target user.



Windows Forensics Analysis
• After learning which recycle bin belongs to the target account,
we can enter it using the CD command. Use the DIR command
with the /a switch to display its contents. From Figure 7-10, we
can note that the target recycle bin holds four files belonging to
two deleted files. As we already said, each deleted file has two
files in the recycle bin: a metadata file and the actual data
(recoverable data) of the deleted file.



Investigating the deleted file’s metadata
• Now, let us investigate the deleted file’s metadata, also known as
index files (beginning with $I), in the recycle bin of Windows Vista
and later using a free tool called $I Parse. To use this tool, follow
these steps:
1. Go to https://df-stream.com/recycle-bin-i-parser/, download the tool, and
extract its contents (if it is zipped).

2. To use this tool, we first need to extract the recycled file’s metadata file. To do
this, type the following in the command prompt:
copy $I* \users\nihad\desktop\recover

3. Execute the $I Parse tool, go to File menu ➤ Browse…, and select the folder
that contains the metadata files.

4. From the main program menu, click the Choose… button and select where to
save the output file (a file with a CSV extension that will hold the parsing results).
Finally, click “Create CSV”; a success window will appear after parsing of all files
is finished, and you are done!
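The $I Parse tool reads the index files described in the steps above. As an added example (not code from the slides, the book, or the $I Parse tool), the following Python script parses the same $I format directly, so an examiner can cross-check the tool’s CSV output or work on a system where the tool is unavailable. The layout it implements is the documented $I format: an 8-byte version number, an 8-byte original size, a FILETIME deletion timestamp, then the original path, which is a fixed 520-byte field in version 1 (Vista, 7, 8/8.1) and a length-prefixed field in version 2 (Windows 10 and later). The file contents, path and timestamp are constructed for the example; the user name nihad is only reused from the copy command above.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 UTC
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - _EPOCH).total_seconds()) * 10_000_000


def parse_i_file(data: bytes) -> dict:
    """Parse one $I<id> metadata file from $Recycle.Bin (Vista and later).

    Layout:
      0x00  u64  format version: 1 (Vista, 7, 8/8.1) or 2 (Windows 10 and later)
      0x08  u64  original size of the deleted file in bytes
      0x10  u64  deletion time as FILETIME
      0x18  v1: 520 bytes, original path as UTF-16LE padded with NULs (260 chars)
            v2: u32 path length in characters (including the NUL), then the path
    """
    if len(data) < 0x18:
        raise ValueError("truncated $I file: the header alone is 24 bytes")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + 520]
        if len(raw) < 520:
            raise ValueError("truncated $I file: version 1 files are 544 bytes")
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("truncated $I file: path shorter than declared")
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    else:
        raise ValueError(f"unknown $I format version {version}")
    return {
        "version": version,
        "size": size,
        "deleted_utc": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def r_file_name(i_file_name: str) -> str:
    """$I<id>.<ext> pairs with $R<id>.<ext>, which holds the recoverable content."""
    if not i_file_name.startswith("$I"):
        raise ValueError("expected a $I file name")
    return "$R" + i_file_name[2:]


def build_i_file(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Construct a $I file for the example; real ones are copied out of $Recycle.Bin."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    name = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + name.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + name


# Constructed samples (not real evidence): the same deletion recorded on a
# Windows 10 machine (version 2) and on a Windows 7 machine (version 1).
DELETED_AT = datetime(2021, 3, 4, 12, 0, 0, tzinfo=timezone.utc)
ORIGINAL_PATH = r"C:\Users\nihad\Desktop\notes.txt"
SAMPLE_V2 = build_i_file(2, 1234, DELETED_AT, ORIGINAL_PATH)
SAMPLE_V1 = build_i_file(1, 1234, DELETED_AT, ORIGINAL_PATH)

if __name__ == "__main__":
    for label, blob in (("v2", SAMPLE_V2), ("v1", SAMPLE_V1)):
        info = parse_i_file(blob)
        print(label, info["deleted_utc"].isoformat(), info["size"], info["original_path"])
    print(r_file_name("$IABC123.txt"))  # -> $RABC123.txt
```

The deletion timestamp comes out in UTC; convert it to the suspect machine’s time zone before comparing it with other artifacts. The $R file that `r_file_name` names is the one to copy out if the content itself is needed.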



Data Carving
• Data carving is an advanced type of data recovery, usually used
in digital forensic investigations to extract a particular file
(using the file’s header and footer signatures) from unallocated
space (raw data) without the assistance of any file system
structure (e.g., the MFT). Data carving can be the only method to
recover important evidence files and fragments of files in a
criminal investigation where the file system that was originally
responsible for organizing these files on the hard drive is
missing or corrupted. Data carving is also needed when
extracting files from a captured network traffic stream.



File Carving
• The following are some free tools for conducting file carving:
1. Foremost (http://foremost.sourceforge.net)
2. Scalpel (https://github.com/sleuthkit/scalpel)
3. Jpegcarver (www.seedstech.net/jpegcarver)
4. List of data recovery (including some file carving) tools from
the forensics wiki (www.forensicswiki.org/wiki/Tools:Data_Recovery)
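The tools listed above all work the way the Data Carving slide describes: scan raw bytes for a known header, then read up to the matching footer. As an added example (not code from the slides or from Foremost, Scalpel or Jpegcarver), the following Python script implements that header/footer carve for JPEG and PNG over a constructed block of “unallocated space”, with the two caveats a practitioner meets immediately: a header with no footer within the size limit is reported as a fragment rather than silently dropped, and fragmented files (content not stored contiguously) are not reassembled, which is also the limit of simple header/footer carving in general. The signatures are the standard ones; the input data, file names and size limit are assumptions of the example.

```python
from pathlib import Path

# Header/footer byte signatures for the carve; a constructed subset for the example.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE_SIZE = 10 * 1024 * 1024  # give up on a header with no footer within 10 MiB


def carve(raw: bytes, signatures=SIGNATURES, max_size=MAX_CARVE_SIZE):
    """Return [(ext, offset, data)] for every header/footer pair found in raw.

    A header with no footer inside the window is reported with data=None so
    the examiner knows a partial file (or a fragment) was there.
    """
    found = []
    for ext, (header, footer) in signatures.items():
        pos = 0
        while (start := raw.find(header, pos)) != -1:
            limit = min(len(raw), start + max_size)
            end = raw.find(footer, start + len(header), limit)
            if end == -1:
                found.append((ext, start, None))   # fragment: header without footer
                pos = start + 1
                continue
            end += len(footer)
            found.append((ext, start, raw[start:end]))
            pos = end                              # continue after the carved file
    found.sort(key=lambda item: item[1])
    return found


def save_carved(found, out_dir):
    """Write complete files as <offset>.<ext>, the naming style carving tools use."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for ext, offset, data in found:
        if data is None:
            continue
        target = out / f"{offset:08x}.{ext}"
        target.write_bytes(data)
        written.append(target)
    return written


# Constructed "unallocated space" (not real evidence): filler, a fake JPEG, filler,
# a fake PNG, filler, then a JPEG header with no footer (a fragment).
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-body" + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR-body" + b"IEND\xaeB`\x82"
SAMPLE_RAW = (
    b"\x00" * 100 + FAKE_JPEG + b"A" * 50 + FAKE_PNG + b"\x00" * 30
    + b"\xff\xd8\xff\xe1" + b"partial"
)

if __name__ == "__main__":
    for ext, offset, data in carve(SAMPLE_RAW):
        state = f"{len(data)} bytes" if data else "fragment (no footer)"
        print(f"{ext} @ 0x{offset:x}: {state}")
```

Running it on a real image means reading the raw device or image file in chunks and keeping the last few bytes of each chunk so a signature split across a chunk boundary is not missed; the example keeps the whole buffer in memory to stay short. Carved output is only ever as trustworthy as the signatures: a `\xff\xd9` inside a JPEG thumbnail will end the carve early, which is why Jpegcarver-style tools parse the JPEG segment structure instead of stopping at the first footer.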



Attributing an Action to Its Associated User Account
• Sometimes, a suspect Windows PC can have more than one
account, for example, one for Nihad, another for Rita, and a
third for Susan. For each account on a Windows PC, there is a
unique identifier that distinguishes it, called the SID. By using this
SID, a digital forensic examiner can know which user account
conducted which action or when a particular user account
triggered a specific event. The command (wmic useraccount get
name,sid) shows the available user accounts and their associated
SIDs on any Windows machine.
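Both the earlier slide on finding the owner of a $Recycle.Bin subfolder and this one rely on the same step: turning the `wmic useraccount get name,sid` listing into a SID-to-account map and looking each SID-named folder up in it. As an added example (not code from the slides or the book), the following Python script does that lookup offline on saved command output, and also handles the two cases the listing does not cover: well-known SIDs such as S-1-5-18 (SYSTEM), which have a recycle bin folder but are not user accounts, and SIDs with no matching account at all, which usually belong to a deleted account or to a domain account absent from the listing. The machine SID, the account names and the folder listing are constructed for the example (the names nihad, rita and susan are reused from the slide); the RID meanings (500 Administrator, 501 Guest, 1000 and above ordinary accounts) are standard Windows values.

```python
import re

# SIDs that appear as $Recycle.Bin subfolders but are not user accounts
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

# One "Name   SID" row; tolerant of the column padding wmic produces
_ROW = re.compile(r"^(?P<name>\S.*?)\s+(?P<sid>S-1-\d+(?:-\d+)+)\s*$")


def parse_wmic_useraccount(text: str) -> dict:
    """Map SID -> account name from saved `wmic useraccount get name,sid` output."""
    mapping = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:                       # header line and blank lines do not match
            mapping[m.group("sid")] = m.group("name")
    return mapping


def describe_rid(sid: str) -> str:
    """The last SID component (the RID) tells what kind of account it is."""
    rid = int(sid.rsplit("-", 1)[1])
    if rid == 500:
        return "built-in Administrator"
    if rid == 501:
        return "built-in Guest"
    if rid >= 1000:
        return "normal user account"
    return "built-in or well-known account"


def resolve_recycle_bin_owners(subfolders, sid_map):
    """Attach an owner (or None) to every SID-named subfolder of $Recycle.Bin."""
    rows = []
    for name in subfolders:
        if not name.startswith("S-1-"):
            continue                # e.g. desktop.ini is not a SID subfolder
        owner = sid_map.get(name) or WELL_KNOWN_SIDS.get(name)
        rows.append({"sid": name, "owner": owner, "kind": describe_rid(name)})
    return rows


# Constructed listing with a fake machine SID (not from a real system)
MACHINE = "S-1-5-21-1111111111-2222222222-3333333333"
SID_ADMIN, SID_NIHAD, SID_RITA = f"{MACHINE}-500", f"{MACHINE}-1001", f"{MACHINE}-1002"
SAMPLE_WMIC_OUTPUT = f"""\
Name           SID
Administrator  {SID_ADMIN}
Guest          {MACHINE}-501
nihad          {SID_NIHAD}
rita           {SID_RITA}
susan          {MACHINE}-1003
"""
# Constructed `dir /a C:\$Recycle.Bin` result: SYSTEM, nihad, rita and an orphan SID
SAMPLE_SUBFOLDERS = ["desktop.ini", "S-1-5-18", SID_NIHAD, SID_RITA, f"{MACHINE}-1005"]

if __name__ == "__main__":
    owners = resolve_recycle_bin_owners(SAMPLE_SUBFOLDERS,
                                        parse_wmic_useraccount(SAMPLE_WMIC_OUTPUT))
    for row in owners:
        print(row["sid"], "->", row["owner"] or "UNRESOLVED", f"({row['kind']})")
```

An unresolved folder is worth a note in the report rather than a shrug: the account that created it may have been deleted after the files were, and the SAM hive or the ProfileList registry data from the same image can often still tie the SID back to a profile path.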



Windows Registry Analysis
The registry is considered the heart of Windows OS; it contains
critical information needed by the operating system and installed
applications in order to function. Almost every action conducted by
a Windows user is stored in its registry in one way or another; this
makes the Windows registry a rich source of evidence that can be
extremely valuable for any digital forensic investigation.



Architecture of Windows Registry
The registry is a hierarchical database that stores Windows system
configuration settings for hardware, software applications, and the
operating system, in addition to the user’s preferences and the
computer’s and applications’ usage history. Registry data is
structured in a tree format, where each node in the tree is called a
key. A key can contain other keys (subkeys) in addition to data
values.



Windows registry structure
The Windows registry contains five root folders (also known as
hives). Hives are the first folders in the registry; they appear on the
left side when you first open the registry editor, with all other keys
collapsed.



Windows Registry Analysis
• Root hives are divided into two types with regard to their data
persistence: volatile and nonvolatile. The
HKEY_LOCAL_MACHINE and HKEY_USERS keys are
nonvolatile and are stored on the hard drive, while the
remaining hives are volatile and should be captured while the
system is running in order to acquire useful information from
them.



Windows Registry Analysis Methods
• Digital forensic investigators can examine the Windows registry
using two methods:
1. The registry is contained within a forensic image. In this case, a
computer forensics program is used to browse the registry files as
you would browse files and folders in Windows File Explorer.
2. Live analysis (e.g., when booting up from the suspect forensic
image). In this method, you can access the registry as you do on
any computer, using the Windows built-in registry editor.



Windows Registry Analysis Methods
• If we are examining the Windows registry using a captured
forensic image, it is necessary to know where the registry files
are stored. Registry hives are located in the
Windows\System32\Config folder, so if your OS is installed on
the C:\ drive, your registry files will be located in the
C:\Windows\System32\Config folder. After accessing this folder,
you will find many files (a separate file for each root hive and a
couple of supporting files for each one, except for the
HKEY_CURRENT_USER hive, as this one is stored in your
profile folder).
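When the hive files are pulled out of an image as described above, the first thing worth checking is that each file is a real, intact hive and whether its last write completed, because the “supporting files” next to it (the transaction logs) may hold changes that never made it into the hive file itself. As an added example (not code from the slides or from any forensic suite), the following Python script reads the 4096-byte base block at the start of every hive file, whose layout (the `regf` signature, primary and secondary sequence numbers, last-written FILETIME, format version, root cell offset, embedded file name and a header checksum) is the documented on-disk format. The sample headers are constructed inside the script, so no real hive is needed to run it; nothing about the sample values is meant to look like a particular machine.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096          # the regf header occupies the first 4 KiB of a hive file
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft: int) -> str:
    return (_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - _EPOCH).total_seconds()) * 10_000_000


def regf_checksum(header: bytes) -> int:
    """XOR of the 127 DWORDs in bytes 0..507; 0 is stored as 1, 0xFFFFFFFF as 0xFFFFFFFE."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        x ^= dword
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x


def parse_regf_header(data: bytes) -> dict:
    """Read the base block of a hive file (SYSTEM, SOFTWARE, SAM, NTUSER.DAT, ...)."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file shorter than the 4096-byte regf base block")
    if data[:4] != b"regf":
        raise ValueError("no regf signature: not a hive file, or its header is damaged")
    (primary, secondary, last_written, major, minor, file_type, _file_format,
     root_cell, hbins_size, _cluster) = struct.unpack_from("<IIQIIIIIII", data, 4)
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (stored,) = struct.unpack_from("<I", data, 508)
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        # the two sequence numbers differ when the last write never completed:
        # the newest changes then live in the .LOG1/.LOG2 transaction logs
        "dirty": primary != secondary,
        "last_written_utc": filetime_to_iso(last_written),
        "version": f"{major}.{minor}",
        "is_primary_file": file_type == 0,
        "root_cell_file_offset": BASE_BLOCK_SIZE + root_cell,
        "hbins_data_size": hbins_size,
        "embedded_name": name,
        "checksum_ok": stored == regf_checksum(data),
    }


def build_sample_hive_header(primary, secondary, name, last_written) -> bytes:
    """Construct a base block for the example; real headers come from the image."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[0:4] = b"regf"
    struct.pack_into("<IIQIIIIIII", hdr, 4, primary, secondary,
                     datetime_to_filetime(last_written), 1, 5, 0, 1, 0x20, 0x1000, 1)
    encoded = name.encode("utf-16-le")[:64]
    hdr[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)


# Constructed samples: a cleanly written SYSTEM hive and one with an unfinished write
WRITTEN_AT = datetime(2020, 1, 15, 9, 30, tzinfo=timezone.utc)
CLEAN_HIVE = build_sample_hive_header(7, 7, "SYSTEM", WRITTEN_AT)
DIRTY_HIVE = build_sample_hive_header(8, 7, "SYSTEM", WRITTEN_AT)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_HIVE), ("dirty", DIRTY_HIVE)):
        print(label, parse_regf_header(blob))
```

A `dirty` result is not an error in the evidence; it is the normal state of a hive copied from a running or abruptly powered-off machine. It does mean the hive file alone is stale, so the examiner either lets the analysis tool replay the .LOG1/.LOG2 files or records that the newest changes may be missing. A failed checksum or a missing `regf` signature, by contrast, points at a damaged or misidentified file.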



Windows Registry Editor
• Windows comes equipped with a registry editor, which allows
any user with administrative privileges to view, edit, and back up
the Windows registry. To access the built-in registry editor,
follow these steps:
1. Press the Windows button and the R button (Win+R) to open the
Run dialog.
2. Type “regedit” and press OK.



Acquiring Windows Registry
• To acquire the target Windows machine’s registry using FTK Imager,
follow these steps:
1. Download AccessData FTK Imager 5 and transfer it to your
USB thumb drive.
2. Attach the USB drive that contains FTK Imager to the suspect
machine, open FTK Imager, and go to File menu ➤ Obtain
Protected Files.
3. A new dialog appears; select where you want to store the obtained
files, and check the option “Password recovery and all registry
files” (see Figure 7-16). Finally, click the “OK” button.



Registry Examination
• Windows has a feature that allows programs to launch
automatically as it boots; this feature is necessary for some
applications, like antivirus software, that must run first to stop
any malicious software before Windows has booted completely.
Malicious software like keyloggers and bots can add entries
to the Windows registry in order to launch automatically with
each Windows boot. The Windows registry stores a record of
every program that starts with Windows.
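The Run and RunOnce keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER (…\Software\Microsoft\Windows\CurrentVersion\Run and …\RunOnce) are the best-known of the registry autostart locations this slide refers to, and an examiner usually receives them as a `.reg` export made with regedit or `reg export` rather than as a live hive. As an added example (not code from the slides, the book or the Autoruns tool), the following Python script parses that export format, including its escaped strings, `dword:` values and `hex(2):` values continued across lines, then lists every autostart entry with the executable its command points at, which is the value to hash and compare against known-good software. The `.reg` text, account name and commands are constructed for the example; the Run/RunOnce key names are the standard ones and are an assumption of the block, since the slide itself does not list them.

```python
import re

# Autostart locations this example looks at: Run and RunOnce under HKLM and HKCU
AUTOSTART_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes inside strings
    return re.sub(r'\\(["\\])', r"\1", s)


def _join_continuations(text: str):
    """hex values are wrapped with a trailing ',\\'; glue those lines back together."""
    joined, buf = [], ""
    for raw in text.splitlines():
        s = raw.strip()
        if s.endswith(",\\"):
            buf += s[:-1]
            continue
        joined.append(buf + s)
        buf = ""
    return joined


_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: value}} from a 'Windows Registry Editor Version 5.00' export."""
    result, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        raw = m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])                 # REG_SZ
        elif raw.startswith("hex(2):"):                  # REG_EXPAND_SZ as UTF-16LE bytes
            data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
            value = data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        elif raw.startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw                                  # other types kept as text
        result[current][name] = value
    return result


def command_executable(command: str) -> str:
    """Strip arguments from an autostart command: quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def autostart_entries(parsed: dict):
    """Every string value under a Run/RunOnce key, with the executable it launches."""
    entries = []
    for key, values in parsed.items():
        if key.lower().endswith(AUTOSTART_SUFFIXES):
            for name, value in values.items():
                if isinstance(value, str):
                    entries.append({"key": key, "name": name, "command": value,
                                    "executable": command_executable(value)})
    return entries


# Constructed export (not from a real machine); the second Run entry is a
# typical shape for an examiner to look at twice: a user-writable path plus a switch.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\nihad\\AppData\\Roaming\\updater.exe\" /silent"
"Tool"=hex(2):43,00,3a,00,5c,00,\
  74,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example App"
"NoRemove"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Temp\\cleanup.cmd"
'''

if __name__ == "__main__":
    for e in autostart_entries(parse_reg_export(SAMPLE_REG)):
        print(f"{e['key']}\n  {e['name']} -> {e['executable']}")
```

Autoruns covers far more locations than these two keys (services, scheduled tasks, shell extensions and so on), so the script is a way to understand and verify what the tool reports for the Run keys, not a replacement for it. Expanding `%windir%` and other variables in REG_EXPAND_SZ values is left to the caller, because the right expansion depends on the suspect system, not the examiner’s workstation.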



Autoruns Tool
• Microsoft has a portable utility available to investigate all
autorun programs called Autoruns. This tool can be downloaded
from https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns.



Registry Keys That Hold Information About Installed
Programs
• Installed Program Keys in the Windows Registry
Learning what programs are currently or were previously installed
on the suspect machine can be of great value for forensic
investigators. For example, the existence of steganography and
encryption programs—or the leftovers belonging to such tools—
will give an indication that the suspect machine may contain
hidden data or simply was used to execute such programs.
Windows keeps records of all installed applications in the
following locations in the registry

